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Abstract. We analyse the complexity of the computation of the class group 
structure, regulator, and a system of fundamental units of a certain class of 
number fields. Our approach differs from Buchmann's, who proved a complex- 
ity bound of L(l/2,0(1)) when the discriminant tends to infinity with fixed 
degree. We achieve a subexponential complexity in 0(L(l/3, 0(1))) when both 
the discriminant and the degree of the extension tend to infinity by using tech- 
niques due to Enge and Gaudry in the context of algebraic curves over finite 
fields. 



1. Introduction 

Let K = Q(6') be a number field of degree n and discriminant A. The ideal class 
group of its maximal order Ok is a finite abelian group that can be decomposed as: 

C1(Ok) = 0ZMZ, 

i 

with di I di+i. Computing the structure of CI(C'k), along with the regulator and a 
system of fundamental units of Ok is a major task in computational number theory. 
In addition, many algorithms solving the discrete logarithm problem are based on 
the group structure computation. 

In 1968, Shanks [121 HSj proposed an algorithm relying on the baby-step giant- 
step method to compute the structure of the ideal class group and the regulator of 
a quadratic number field in time O (|A|^/^+'^), or O (|A|^/^+'^) under the extended 
Riemann hypothesis [lOj . Then, a subexponential strategy for the computation 
of the group structure of the class group of an imaginary quadratic extension was 
described in 1989 by Hafner and McCurley [9J. The expected running time of this 
method is 

La (1/2, V2 + 0{1))^ g(y2+o(l)) Vlog I A| log log |A| _ 

Buchmann [2] generalized this result to the case of an arbitrary extension, the 
complexity being valid for fixed degree n and A tending to infinity. Enge [5] used 
this technique in the context of discrete logarithm computations in the Jacobian 
of hyperelliptic curves, and developed with Gaudry [6] an algorithm for computing 
the group structure of the Jacobian and solving the discrete logarithm problem for 
a certain class of curves in time: 

V (1/3, 0(1)) = eO(i)(i°g(«')^'^i°gi°s(?^)''^). 
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In this paper, we adapt the L(l/3) algorithm of Engc and Gaudry to the computa- 
tion of the group structure of the ideal class group, the regulator, and a system of 
fundamental units of Ok- We deal with the case where both the discriminant and 
the degree of the extension grow to infinity in certain proportions, whereas in [2] 
the degree is assumed to be fixed. 

2. Main idea 

We consider a number field K = 0(9) of discriminant A which can be written 



with T{X) = t„X" + t„_iX"-i + ...+tQ e Z[X], and n [K : Q]. Let d be a 
bound on the bit size of the coefficients of T: 

d :— max{log(ti)} . 

i 

In addition, we require that: 

(1) n<nolog(|A|)"(l + o(l)) 

(2) d < do log (|A|)i-" (1 + 0(1)), 

for some a G [■j? f [i and some constants no and do- Wc define n := nodo. We also 
denote by ri the number of real places, by r2 the number of complex places and we 
define r := ri + r2 — 1. Our algorithm computes the group structure of C1(Z[6']), 
its regulator, and a system of fundamental units of in expected time lying in: 

0(LDisc(T)(l/3,0(l))). 

In the case of number fields satisfying Z[6] = Ok and the above restrictions, we 
compute the group structure of CI(C'k), and a system of fundamental units, in 
expected time La(1/3, 0(1)). From now on, we assume that K satisfies dT]), ([2|), 

and Z[e] ^ Ok- 

Example. Let A G Z, and 'Kn^K be an extension of Q defined by an irreducible 
polynomial of the form: 

T{X) = X" - K, 



with 



log(|A|)i-" 



logK 
n=Llog(|A|)"J, 
for some a G Then, Ok„ ^ has discriminant satisfying: 

log(Disc(OK„,,,)) = log(n"A'"-i) = log(|A|)(l + o(l)). 

If in addition we require that n and K be the largest prime numbers below their 
respective bounds such that: 

then we meet the last restriction Z[6] = Ok„ k- 

We proceed by analogy with the approach of |6j in the context of algebraic curves, 
where the authors examined curves of the form: 

C : r" +X'^ + /(X,y), 
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such that any monomial X''Y^ occming in / satisfies ni + dj < nd. The genus g is 
assumed to tend to infinity and: 

The idea in is to look for functions (j){X,Y) G Fq[X, F] satisfying: 
degv.0«5"-i/3 deg;,0«g2/3-a^ 

with M{<j)) splitting into polynomials of degree bounded by i? = log (L(l/3, p)) for 
some number p determined in the complexity analysis. Each time such a decompo- 
sition occurs, the ideal (cj)) is necessarily a product of primes belonging to the set 
B of the prime ideals of degree bounded by B: 

PieB 

Such a decomposition of a principal ideal is called a relation. In the following, we 
will also denote the vector (e^) itself a relation. Every time we find a relation, we 
add the row vector (e^) to a matrix M G Z"^^^ called the relation matrix, where 
N := \B\, and m > fc is the number of relations collected. A linear algebra step 
is performed on this matrix. It consists in computing its Smith Normal Form, 
that is to say integers di, . . . , d^v, with (ijv|djv-i| • • • |di, such that there exist two 
unimodular matrices U G ^^x™ and V £ Z^^^ satisfying: 



M 



di (0) 
(0) dk 



(0) 



V 



(0) 



V. 



J 



The SNF of M provides us with the group structure of the Jacobian of the curve C. 
Indeed, if £z is the lattice spanned by all the possible relations, and if denotes 
the Jacobian of C, then we have: 

J ~ 

Providing m is large enough to ensure that the rows of M generate £z, we have: 

J^^Z/d,Z. 

i 

In our context, we need the group structure of C1(Ok), along with the regulator 
R, and a system of fundamental units of Or. The computation of the group struc- 
ture of CI(C'k) is done using methods similar to those used for the computation of 
the structure of J . We look for relations of the form: 



where (/) G K, and where the are prime ideals of norm bounded by L(l/3,p). 
Every time we find such a relation, we add the row vector {ei)i<N to the relation 



4 



JEAN-FRANgOIS BIASSE 



matrix denoted by AIz G Z™^^. To continue the analogy with [6], we require that 
ip be of the form: 

where A G Z[X] of degree k. During the analysis, we will provide bounds on k and 
on the coefficients of A, that delimit the search space. Providing the rows of Mj, 
generate the lattice £z of all the possible row vectors (ei)i<jv G Z^ representing a 
relation, we have: 

ci(Ok) ^z^//:z=^ 0ZMZ, 

i<N 

where the di are the diagonal coefficients of the SNF of M^. The main difference 
with the context of algebraic curves is the computation of R and of a system of 
fundamental units. The group of units of Ok is of the form: 

U{K) ~ n{K) X Z^ 

where /x(K) is the multiplicative group of the roots of unity in Ok- A system of 
fundamental units (7^), i < r, is a set of elements of K satisfying: 

U(K) ~ ti{K) X (71) X ... X (7,) . 

Once such a system is found, we use the logarithm map: 

IK — > 

Log: I — > (log|(/)|i,...,log|0|,.+i), 

where the are the archimedian valuations on K, to construct a matrix A G 
]grx(r+i) .^^jj^Qgg rows are the vectors Log{(j)i), for i < r. The regulator is defined as 
the determinant of any r x r minor of A. To construct A and a system of funda- 
mental units, we augment the row vectors by columns containing the archimedian 
valuations, and add the row: 

(ei, . . . , efc, log I0I1, . . . , log \cf>\r+i) G Z^ X 

to a relation matrix M whenever a relation {(p) — Y[i Pi' is found. A linear algebra 
step performed on M provides us with the group structure, the regulator, and a 
system of fundamental units. It is described in detail in 21 

3. The relation matrix 
Let p be a constant to be determined later, and B a smoothness bound satisfying: 

B=\LA{l/3,p)^. 

We define the factor base B as the set of all non inert prime ideals of norm bounded 
by B. This factor base has cardinality: 

N:^ |6|-L(l/3,p+o(l)). 

In the following, we will need to test the smoothness of principal ideals of the form 
{(j>), where (f> = A{6) with A G Z[X]. We will use the well-known result that is 
proved in Lemma 3.3.4: 

Lemma 1. The norm of (f> satisfies: 

N[4')^Res {T{X),A{X)), 

where Res denotes the resultant. 
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Computing Af{(l>) ior (j) E K allows us to decide whether is a product of prime 
ideals p E B. Indeed, it suffices to check if J\f{(l>) S Z is _B-smooth which can be 
done by trial division or the ECM method in polynomial time. We assume that the 
coefficients of the polynomial A have their logarithm bounded by an integer a, 
and that there exist two constants 6 and v to be determined later such that: 

Klog |A|/n 



(3) a< 



(4) k < 



(log|A|/M)i/3 
n 



(log|A|/7W)i/3 

with A4 := loglog|A|. Using Lemma[T]and Hadamard's inequality, we deduce an 
upper bound on logAf^fj))- 

(5) log JV{(j>) < na + dk + n log k + k log n 

(6) <K\og{\A\f/''M^/\6 + iy + o{l)). 

In the following, we will also need a bound on the real coefficients log \ (f)\i occuring 
in the relation matrix. By the following proposition, we derive a bound on the 
log \d\i from the imposed bounds on the coefficients of T: 

Proposition 2. Let Ui he the n complex emheddings of K. such that we have T = 
Y\^{X — ai{6)), then the ai{9) satisfy: 

log(|0|,) = log(|a.(0)|)=O(log(|A|)i-"). 

Proof. Landau- Mignotte's theorem jTTj states that if D | T with degD — ni, then 
the coefficients dj of D satisfy: 

|d,|<2"-H|T|+t„), 

where |T| is the euclidian norm of the vector of the coefficients of T. Applying this 
to D = X — ai (9) and m — 1 allows us to obtain: 



iog(|0|.)<iog(|r|+t„)eO(iog(|A|)i-") 



□ 



Corollary 3. With (j) = A, and a and k respectively bounded by and we 
have: 

log|</)|, <0(log(|A|)'/3A^i/3). 

To compute the probability for (j) to be ;B-smooth, we have to make the following 
assumption: 

Heuristic 4. We assume thatj\f{(j)) behaves like a random number whose logarithm 
satisfies 

log(AA(0)) < L := K\og{\A\f/^ M^/^{6 + + 0(1)), 
and whose distribution is given by the ip function of [3] . 

Consequently, computing the probability for a given (0) to be S-smooth boils 
down to computing the probability for a number whose logarithm is bounded by l 
to be smooth with respect to prime numbers with logarithm bounded by 

/i:= rplog(|A|)^/^A^2/3^. 

Using [3j , and carrying out the same computation as in the proof of Theorem 1 of 
[B] , one readily shows the following result on the probability of finding a relation: 
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Proposition 5. Let: 

L=[\ogL{C,c)\ = Lclog(|A|)«Xi-?J 



then we have: 



M= riogL(/3,d)l = \d\ogi\A\f M'-f"], 



^>^(c-/3,^(C-/3) + o(i) 



where denotes the cardinality of the set of integers x such that \ogx < l, 

and X is smooth with respect to the set of prime numbers p such that \ogp < fj,. 



4. The linear algebra phase 

In this section, we start with an overview of the linear algebra phase, then we 
address its complexity in Sj47T]and ^14. 21 We denote by M the relation matrix whose 
rows lie in Z-^ x ]R''+^, and by and Afj} the matrices formed respectively by the 
first N and the last ?■ + 1 columns of M. M thus has the following shape: 




To make sure we generate the full lattice of relations, we make the following as- 
sumption: 

Heuristic 6. We assume that there is a constant Ki such that collecting N + Kir 
allows us to generate the full lattice of relations. 

In the following, we assume that Heuristic [6] is satisfied. If this is not the case 
(which can be tested easily as we will see at the end of this section), we start all over 
again and construct another relation matrix. A^r contains rational approximations 
of the log|0i|j for i < + Kir and j < r + 1: the discussion of approximation 
issues when we add or multiply two real numbers is postponed to ^J5l As the rows 
of M are assumed to generate the full lattice of the relations, the determinant of 
the lattice Cz spanned by the rows of Mz gives us the class number /i(Ok), and its 
Smith Normal Form diag((ii, . . . , djy) gives us the decomposition 

ci(Ok)^z^//:z^0zmz. 

i 

On the other hand, we need to construct r relations of the form 

(0, . . . ,0,log|7|i, . . . ,log|7|^+i), 

along with the corresponding values of 7 (that are necessarily units), such that 
these relations generate the lattice £r of relations whose integer part contains only 
zero coefficients. To do this, we compute separately the Hermite Normal Form of 
Mz and a basis {uj)j<i with I < Kir of the kernel of Mz- Then, we apply the 
Uj to Mr, thus obtaining a matrix Ar € whose rows correspond to the 

archimedian valuations of units {Pj)j<i- More details on this part of the algorithm 
are given in H4.ll To compute the regulator R, we need to find r combinations 
of rows of Ar, along with the corresponding units {'ji)i<r, that span the lattice of 
units Cr. This procedure is described in H4.2I 
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At the end of the linear algebra phase, we have to check a posteriori that N+Kir 
relations were enough to generate Ci and Cr. The analytic class number formula 
provides a number h* computable in polynomial time satisfying: 

h* < h{OK)R < 2h*. 

Before going into more details on the linear algebra phase, we recall the main steps 
of this process: 



Algorithm 1 Linear algebra phase 
Input: M 

Output: /i(C'k), the structure of C1(Ok), R, and a system of fundamental units 
1: Compute the HNF of M^. 

2: Compute the SNF of Mz and deduce ^.(C'k) and the group structure of CI(C'k)- 
3: Compute a basis {uj)j<i of kerMz and deduce Ar 

4: Find r independent relations generating Cr along with the corresponding units. 
5: Compute the determinant R of £r. 

6: Compute h* and check if h* < h{0-K)R < 2h*. If not create another M and go 
back to step one. 



Notation 7. In the following, denotes the row number i of the matrix X . 

4.1. Hermite and kernel basis computation. To obtain the matrix At^, we 
apply the kernel basis computation algorithm described in '8 to the rectangular 
matrix A/^. It provides I < Kir vectors Uj in Z^'^^'-'^ representing linear depen- 
dencies between the rows of M^. Applying those linear combinations to the rows 
of M yields I relations with zero coefficients on the first N coordinates. We denote 
by £r the lattice of the relations having only zeros on their first TV coordinates. As 
we assume Heuristic [HI these I relations generate £k. The last r + 1 coordinates of 
each of the I relations created this way are added as a row vector to the matrix ^r. 
In addition, for every Uj of the form: 

and for all j < I, the value Pj — Yii 4>i ' is the unit corresponding to the row 

i 

As we will see in JJSI the coefficients uj*'' are too large to allow us to compute directly 

J^j 0,j ^ in subexponential time. We thus give the units [3j in compact representa- 
tion, that is to say by storing the Uj. It is proved in [14j that the computation of 
the Uj takes: 

0(;2Ar3(iogAr + iog|Mz|), 

where \Mj] — max^j llM^"* ]!. We need a bound on \Mj] to express this complex- 
ity in terms of the size of the input: 
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Proposition 8. satisfies: 

|Mz| = 0((log|A|)2/3 (loglog|A|)i/3). 

Proof. We restricted ourselves to (j> satisfying 

log(AA(0)) < K (log |A|)'/^ (log log |A|)'/' {6 + ,. + o(l)). 

If A/'(0) = Yii-^iPiT' y then we clearly see that the vector (e^) having the largest 
coefficient under the previous constraint is the one where ei is maximal and all the 
others are set to zero, providing we set pi to the prime ideal of smallest norm. In 
that case, ei satisfies: 

ei = 0((log|A|)^/^ (loglog|A|)^/^). 

□ 

Corollary 9. The complexity of the computation of the kernel basis of Mz is 
bounded by: 

0(L(l/3,3p+o(l)). 

We use the HNF algorithm described in f8j. Its bit complexity is bounded by: 

O (iN^ (logiV + log |Mz|)' + (logiV + log |Mzp)) . 

This allows us to determine explicitly the expected time taken by the computation 
of the HNF and of the kernel basis of Mz with respect to the size of the entries: 

Proposition 10. The computation of the HNF and of the kernel basis of Mx has 
bit complexity bounded by: 

0(L(l/3,5p+o(l)). 

In the following, we will need bounds on \uj \ and on |^r|. Direct application of 
the methods used in 8J leads to the following result: 

Lemma 11. and |Ar| satisfy: 

logl^i^-l =0(L(l/3,p + o(l)) 
logl^Rl =0(i(l/3,p + o(l)). 

4.2. The computation of R and of the system of fundamental units. To 

compute the regulator and a system of fundamental units, we have to find a set 
of r row vectors that span £r. To do that, we take successive r x r determinants 
from submatrices extracted from Ar, and we perform some elementary operations 
on the rows of Ar. This procedure is described in Algorithm [21 which was first 
introduced in [Ij, Algorithm 6.5.7. It makes use of the real GCD algorithm, which 
is also presented in [3], Algorithm 5.9.3. Given two multiples of the regulator aR 
and where a and h are integers, the real GCD algorithm outputs di?, where d 
is the GCD of a and &, under the assumption that R > 0.2. Algorithm [2] also calls 
the pre-computation step described in Algorithm[3l This step, not presented in [4], 
is essential to ensure the validity of Algorithm [21 
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Algorithm 2 Computation of the regulator and a system of fundamental units 

Input: and the corresponding units /3i 
Output: R and a system of fundamental units 

i^r -2 

Find r linearly independent rows using Algorithm [3] 
while i < I do 

Let A be the matrix obtained by extracting any r columns and rows i — r + 2 
to i from Ar. 
i?2 ^ det A 

Using the real GCD algorithm, compute u, v, such that 

uRi + ui?2 = i?3 

i + 1 
end while 

R < — Ri 



Algorithm 3 Search for r independent rows 
Input: Ar 

Output: A permutation of the rows of Ar such that the first r are independent 

Ai ^ rf « 
i ^ 1 

for i = 2 to r do 

m <— i 
ret ^ 

while ret = do 



if det(A*Aj) = then 

TO ^ TO + 1 

else 

Swap rf * and 
ret ^ 1 
end if 
end while 
end for 



The main loop of Algorithm[2]ensures that the sub-lattice >CJj of £r corresponding 
to the 7;, for i — (r — 1) < Z < i, has determinant R3. Indeed, C'-^ is the sum of two 
sub-lattices of £r differing by a single element. The sign (—1)'' is the signature of 
the permutation that is performed before this addition to make sure that uRi + 



A,. 



Ar-l 
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fi?2 ~ R3 holds by multilinearity of the determinant. The precomputation done 
with Algorithm [3] ensures that the first determinant computed is not null, which is 
essential for the completeness of Algorithm [51 Whenever det(A*Ai) 7^ 0, we have i 
linearly independent rows. 

We postpone the computation of the complexity of Algorithms [2] and [3] to S|5l 
where we calculate the precision we have to take for the rational approximations 
of the logarithms. In ^ we also ensure that this precision is accurate enough to 
enable us to decide whever det{AlAi) = or not. Algorithm 3] describes the real 
GCD computation. Its presentation and correctness can be found in [4 . 

Algorithm 4 Real GCD algorithm 

Input: Ri = aR and R2 = bR with R > 0.1, Ri > R2 and a,b E Z 
Output: i?3 = dR and u,v E "E such that uRi + VR2 = R3 
uo <- 1, Wo 
ui ^ 0, wi ^ 1 
while i?2 > 0.1 do 

q ^ [Ri/R2\ ,r^Ri-R2 lRi/R2\ 

ui ^ uq — qui 

vi vq- qvi 

Ri ^ R2 

R2^r 
end while 

R3 ^ Ri 

U ^ Ul, U <— Wl 



5. Approximation issues 

The matrix Mr contains fixed point rational approximations x'lj of the loga- 
rithms of the units := log In this section, we discuss the precision of the 
computation of the regulator. In the following, we count the precision in bits. For 
example, we say that a; is a rational approximation of a; g M with precision q if 
|a; — a;| < 2""^. Let go be the precision of the matrix Mr. We have for i < N + Kir 
and j < r + 1: 

[log i^ij-n 

Xij = ^ 2 ai, 

k=-qo 

where the a]^ are the coefficients of the development of Xij as X)fe!L-oo '^'^^k ■ Before 
establishing the list of the steps where we might loose precision, we recall the 
following result that we will use to estimate the loss of precision whenever we add 
or multiply rational approximations: 

Lemma 12. Let x and y be rational approximations oj precision qi of respectively 
X and y, and u E I1 such that [logj u\ = q2 < qi, then: 

• X + y is a rational approximation of x + y of precision qi — I. 

• ux is a rational approximation of ux of precision qi ~ q2- 

• xy is an approximation of xy of precision qi — maxjlogj |a;|,log2 |y|}. 

(70 is the precision taken for the approximation of the log \4>i\j- We set its value 

to: 

go :=i(l/3,3p). 
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The computation of the approximate value of each log \(j)i\j for j < N + Kir and 
j < r + 1 takes 0(M(go) logqo) e O (i(l/3, + o(l))) bit operations 1]. As we 
have to perform this computation 

(r + 1)(7V + Kir) e O (£(1/3, p + o(l)) 

times, the time taken for the creation of A^r is bounded by O (L(l/3,3p + o(l))). 
Now, let us procede with the enumeration of the steps in the algorithm that dete- 
riorate the precision. The first source of error is the computation of the coefficients 
of the matrix Ar. Indeed, it contains rational approximations of 

N+Kir 

"i'^log|(?!),|j, 

1=1 

for j = 1, . . . , Z. The loss of precision is due to the multiplications by the and 
to the N + Kir additions. We deduce from Lemma [TT] the following proposition 
that gives us the loss of precision occuring in the computation of the coefhcients of 
with respect to the original precision taken during the construction of M: 

Proposition 13. The computation o/ uj*-* log 10^1 j for j ~ l,...,r+l, with 
precision q' , requires that the precision qo of the log \4>i\j be: 

q' + N + Kir + max |log2 {uf \ | . 

Thus, the loss of precision during the computation of Ar is bounded by 

0{L(l/3,p + o{l))). 

Proof. Multiplying log2 \(t>i\j by Ui induces a loss of 

log2|u,|eO(L(l/3,p + o(l))) 

bits of precision. Furthermore every addition induces the loss of one bit of precision. 
As we perform N+Kir ~ 0{L{l/3, p+o(l))) of them, we thus lose another N+Kir 
bits of precision. Consequently, the total loss of precision is bounded from above 
by: 

iV + Xir + max |log2 |uf |} G 0(L(l/3, p + o(l))). 

□ 

Once is obtained, we need to compute successive rxr determinants extracted 
from this matrix. Every computation of such a determinant induces a loss of pre- 
cision. The following proposition allows us to evaluate the loss of precision for one 
computation of an r x r determinant of a matrix Q extracted from A^. 

Proposition 14. The computation with precision q' of the determinant of an r xr 
matrix Q extracted from Ar, and which is a rational approximation of & W^^ , 
requires that 

q = q' + (r/2 + 1) log2(r) log2 {\nr' + l) , 

where q is the precision of the coefficients o/Ar, and \^\ = maxj.j |f2y|. Thus, the 
loss of precision during the computation of the determinant of an r x r submatrix 
of A-R is bounded by O (L(l/3, p + o(l))). 
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Proof. Wc know that Q ~ {lui, . . . ,LUr) and 17 — (oji, . . . ,LUr) are r x r matrices 
with r < n ^ 0(log2 (|A|)") and jil — iij < 2^^, and furthermore, by lemma fTT| H. 
satisfies log2 e 0{L{l/3, p+o{l))). We have by multilinearity of the determinant 
and by Hadamard's inequahty: 

r 

I det Cl — det i7| = | det(a-'i, . . . , Wi^i, a)i — uji, Wi+i, . . . , a)r)| 
1=1 

< r''/2+i (117^^-1 + 1)2-?. 
Thus, the loss of precision is of 

(r/2 + 1) log2(r) log2 {\nr' + l) = 0(L(l/3, p + o(l))). 

□ 

The last source of loss of precision is the series of multiplications and additions 
involved in the computation of the real GCD of two approximations of multiples of 
the regulator. The following proposition gives us this loss of precision during the 
successive real GCD computations in Algorithm [21 knowing from Heuristic [6] that 
the real GCD need not be called more than Kir times. 

Proposition 15. // we have the determinants of the successive r X r matrices with 
precision q, then we can obtain the regulator with precision q' providing 

'7 = 9' + ^^log2W log'l^Kl- 

Thus, the loss of precision during the successive real GCD computations is hounded 
6?/0(L(l/3,2p+o(l))). 

Proof. Whenever we compute another determinant i?2 of an r x r matrix extracted 
from Ar, we have to perform the step 

Ri ^ R2 — Ri\_R2/ Ri\ 

at most log2 R2 times to get the real GCD of Ri and R2 , where Ri is the previous 
approximation of the regulator R. We know that the coefficients of the submatrix 
whose determinant is R2 have bit size bounded by 

log2 \n\ < log, |Ak| e 0(L(l/3, p + 0(1))). 
By Hadamard's inequality, we have: 

log2 R2 < r/2 log2 r log2 \A^\ ^ 0(L(l/3, P + o(l))), 
which gives us an upper bound on the number of times we enter the main loop of 
the real GCD algorithm. Every multiplication Ri -^J induces the loss of at most 

log2 R2 bits of precision. Thus, the total loss of precision of one call to the real 
GCD algorithm is of: 



- log2(r) logi \Au\^0 (L(l/3, 2p + o(l))) . 

As we know that Algorithm [4] is called at most Kir times, the loss of precision after 
the Kir calls for the real GCD algorithm is still of L(l/3, 2p + o(l)) bits. The last 

thing we have to do is to check the validity of the value -^J . Indeed if R2/R1 is 
close to an integer, then we risk to compute ± 1. Assume that Ri = kiR and 
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i?2 — k2R, with fci = k[d, k2 — fcjd, and with k[ and ^2 coprime. Theoretically, we 
have 

IR2/Ri\ = Lfc2/fciJ, 

but we can obtain the wrong value if k'2 ^ Kk[ for some integer K, the worst 
case scenario being = Kk[ ± 1 (we cannot have fcg ~ Kk'^ since k'^ and ^-re 
coprime). In that case, we have: 



1 



Thus, we need that the precision be at most of 21og2 \k'i\. As the loss of pre- 
cision encountered so far is in O (L(l/3, 2/9 + o(l))), and as the original preci- 
sion is in O (L(l/3, 3p + 0(1))), the current precision of the value -^J is still 

in 0(L(l/3,3p + o(l))). Furthermore, log2|fci| < log2 i?i < L(l/3, p + o(l)), so 
the condition is satisfied and the value of the quotient can be trusted. □ 



TV + Kir + max {logs l} + ^ ^ogl{r) log^ |Ak| e O (L(l/3, 2p + o(l))) . 



Corollary 16. The total loss of precision is of: 

Kir^ 

These considerations allow us to evaluate the complexity of Algorithmic] Indeed, 
it consists of at most Kir computations of the determinant of an r x r submatrix 
Ct of ^R. Let / C [1, K2r] and J C [1, r + 1] both be subsets of cardinality r such 
that Cl =: {yij)ieijej- In addition, wc define A = {aij)i,=i,j,= j G Z^^^ such that it 
satisfies: 



[iog2 ivij-n 

k— — q 



We thus have by multilinearity: 



, A det A 
detn 



where q G O (i(l/3, 3p -I- o(l)) is the precision of the coefficients of Ar. Further- 
more, the computation of det A takes ©(r'^logs \ A\) bit operations (see [14]), where 
O denotes the complexity when we omit the logarithm factors. Therefore, the 
expected time for the computation of det A is in 

d(r^ f<Z + log2|f2| 



since log2 \ A\ ~ max^j {log2aij} < q + log2 Ml- As q is in O (L(l/3, 3/9 + o(l))), 
and as we know from Lemma [TT] that log2 \ ft\ G O (L(l/3,p + o(l))), we have the 
following result on the complexity of Algorithm [2] 

Proposition 17. The complexity of Algorithmic lies 

0(L(l/3,3p + o(l))). 

Now, let us check the validity and the complexity of Algorithm |3] Given an r x i 
submatrix Ai of Ar, we want to determine whether its rows are approximations of 
independant rows. To do this, we compute det(A*Aj) and decide whether this is 
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the approximation of a zero determinant. We use Minkowski's bound, which states 
that 



(7) 



detA*A, > 



where b^i '^ is the non-zero vector of minimal length in the lattice spanned by the 
rows of Ai. For every i, b^^ is the logarithm vector of a unit. In 7 , it is shown 
that for every unit e that is not a root of unity, we have: 

1/2 



(8) 



(^E log 1^1 



> 



21 logn 



128 n2 ■ 

Therefore, we can prove the following proposition: 

Proposition 18. The precision qo — L(l/3, 3p) is accurate enough to ensure the 
validity of Algorithmic whose complexity is in 



0(L(l/3,3p + o(l))). 



Proof. First, we calculate the precision of the value det{AlAi). The coefficients c^,; 
{k, I < i) of A\Ai are given by: 

^kl ~ "'kh"'lh ' 



h<r 



where the a^!/ {k < i,l < r) are the coefficients of We know from LemmafTDthat 
the coefficients of Ai have bit size in O (L(l/3, p + o(l))), thus, using Lemma fT2l 
we prove that the precision of c}j^i (fc, I < i) is still in 0(L(l/3, 3/3 + o(l))). Using 
the same techniques as in Proposition I14[ we prove that the loss of precision we 
encounter during the computation of det{A\Ai) is of 

(z/2+l)log2«log2(|A*A,r-i + l). 

As log2 \AIA,\ e O (L(l/3, 2p + o(l))), this loss of precision is in O (i(l/3, 2p + o(l))) 
as well. We thus have the value of det{AlAi) with a precision q satisfying: 

ge 0(L(l/3,3p + o(l))). 

On the other hand, we have a lower bound on the value of det{AlAi) from the com- 
bination of ([7]) and ([8]) in the case where Ai contains approximations of independent 
rows: 



detiAlA,)>[ — ] - 



21 



2r 



1 f log n 



2r 



If det{AlAi) < 1/2', then it might equal zero, otherwise it is necessarily the approx- 
imation of a strictly non-zero determinant. Furthermore, the bound on det(AlAi) 
satisfies: 

2r' 



log 



(- 

V128 



1 / log n 



We can thus conclude that if det(^*^i 
dependent. 



< nlog(n)(l + o(l)) < q. 



< 1/2', then the rows of Ai are necessarily 

□ 



This allows us to state the following proposition: 
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Proposition 19. The complexity of the computation of R and of the system of 
fundamental units lies in 

0(L(l/3,3p + o(l))). 
In addition, we know the value of R with a precision: 

toeO(L(l/3,3p + o(l)). 

6. SUBEXPONENTIALITY 

In this section, we sliow ttiat we acliieve a subexponential complexity for tlie 
overall running time of the algorithm. Direct application of Proposition [5] with the 
parameters 

/?= ^, d = P 

C= ^, c^k{S + i^ + o{1)), 
shows that the expected number of trials to obtain a relation is at most 

We know that the factor base has size N G 0(L(l/3, p)), thus the complexity of 
the search for N + Kir relations is bounded by: 

^(iA^ + P + o(i; 

The number of 4> in the search space is in O {L{1/3),i^Sk). We thus have the 
following constraint on the parameters: 

r k(i^ + S) 

9 i^6k^^ '-+p. 

3p 

We can prove that the strategy minimizing the overall time is the one where the 
relation collection and the linear algebra take the same time. As the complexity of 
the linear algebra is dominated by the HNF computation which lies is 0(L(l/3, 5p+ 
o(l))), we thus have the additional constraint: 

(10) Ki^5 = 5p. 

From dSl) and fTO]), we obtain: 

5p 

1^0 — — 

K 

. 1262 



Thus, S and v are roots of the polynomial: 

K K 

These roots exist providing we have: 
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The optimal choice is to minimize p, thus fixing the parameters S and v: 




The total running time becomes L(l/3, 5p + o(l)), with: 

^~ y iw 
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